Menu

Cyber Warfare and Attribution: Challenges in International Law

Publications, Research paper

Abstract:

Cyber warfare is a term often used in media and academic discussions, although it lacks an universally  agreed  definition,  in  2001,   Alford  described it  as, “Any  action  which  aimed at forcing an opponent to follow a nation’s will, by targeting them on their software systems that control the operations.” In simple words, cyber warfare refers to the use of digital tools like hacking, malware, or denial-of-service attacks by one country or organisation to harm another country’s computer systems.

The primary goal of cyber warfare is to cause major harm, which can be either physical, like cut down a power, or virtual, like stealing important data. The threat of the cyber-attacks has increased significantly with the countries becoming more dependent on the digital infrastructure. These attacks can disturb economies, government functions, and even society at large.

One major issue with cyber warfare when trying to hold someone accountable is that attackers can hide their identity using the internet. This makes it hard to know who was responsible, which creates problems. The nature of the internet is without warning; these attacks can come from anywhere crossing borders. This creates challenges for international law, which is still not totally equipped to operate cyber threats.

This paper includes how cyber warfare is changing the modern problems in applying existing international law to it, and the difficulty of identifying the attribution. It will also look at how cyber-attacks affect national sovereignty and review important case laws that influences legal thinking in this area. In the end, it will suggest ways to improve the international legal system for better management and regulate cyber conflicts.

Key Words: Attribution, Cyber Attacks, Cyber Warfare, International Law, Non-State Actors, Sovereignty, State Responsibility, Tallinn Manual, UN Charter.

Introduction:

The new media age has changed how different countries communicate with each other, do businesses, and even fight wars. In recent times, one of the biggest problems to global security and peace is cyber warfare that is the use of digital attacks to harm or destroy another country’s computer systems, networks, infrastructure, or information. Governments now use cyber tools for spying and also to damage another country’s essential services like power, defence system, and communication systems.

Cyber warfare is different from regular warfare. Unlike battles that fought on land, sea, air, or even in the space, cyberattacks happen in a virtual space that people cannot see or touch, dur to which it is hard to control or respond to such attacks. Also, the continuous development of the technology adds to the difficulty in creating proper rules and laws to look on the cyber conflicts.

After land, sea, air, and space cyber warfare is also known as the “fifth domain” of warfare. As it is still new in the legal world, countries and international bodies like are trying to figure out how to govern it. Traditional legal concepts such as the principle of distinction and attribution are harder to apply in the cyber situations.

The connection of hackers that not officially working for a country further complicates things. In many situations, it is unsure whether the government ordered the attacks or whether it had been done independently by any group. These things make it hard for international law to respond correctly.

To better understand these issues, the paper will look at some real-world examples like:

  1. The 2016 U.S. Presidential Election interference, and
  2. The large-scale cyberattacks seen in 2022 Russia-Ukraine War.

These case studies shows how cyber warfare works in practice and how the international law has been struggled or even failed to deal with it. They highlight the challenges in identifying various attackers, protecting local systems, and creating honest responses.

Research Methodology:

The study is comparative one and research is done through primary source like International Court of Justice Judgements. Journal, articles, and website are some of the secondary sources which have been used for conducting research. It also includes case studies like Russia-Ukraine War (2022), The U.S. Presidential Election interference (2016), The Sony Pictures Hack (2014), Take It Down Act, China’s hack into US Telecom system (2014), etc. This paper focuses on the qualitative analysis to identify gaps in the legal attribution devices and suggests applicable reforms in light of state practices and technological advancements.

Literature Review:

  1. Geneva Conventions: 

The Geneva Conventions and their protocols are kind of the international laws that focus on treating people kindly during the wars. These rules are also applied to cyber warfare. It requires that any cyberattacks must follow some important principles like distinction that is not targeting civilians, proportionality, and necessity means only attacking when its needed. This means countries must ensure that their cyber operations should not harm innocent people or public places like hospitals and schools.

  1. Tallinn Manual 2.0: 

The Tallinn Manual is a guide which is written by experts at NATO’s Cooperative Cyber Defence Centre of Excellence. It explains that how international law is used in cyberspace and during the cyber warfare. Although it’s not legally binding, but still an important resource which helps countries to understand how to follow the law when dealing with cyber threats. The manual discusses rules like jus ad bellum which means laws about starting war, jus in bello that is laws about how to fight during war, and state sovereignty. Particularly rule 7 of the Tallinn manual talks about the attribution which helps in figuring out who carried out the cyberattack. It discloses that this is usually very difficult and requires strong evidence. This rule talks about both direct and indirect responsibility, but it does not provide any manner to punish those who break the rules.

  1. UN Frameworks: 

The United Nations has tried to make the rules for the people of responsible behaviour in cyberspace through some groups like the Group of Governmental Experts and the Open-Ended Working Group. These kinds of efforts are meant to help countries to work together and avoid their conflict particularly in cyberspace. Although, the progress has been slow down because of the countries, majorly western and non-western powers, usually disagree  on important key issues. This lack of agreement makes it difficult to create the strong, binding rules that must be followed by everyone.

Ethics of War in International Law:

Attribution: 

One of the major problems in dealing with cyber warfare is finding out who is responsible for an attack, this is called attribution. In cyberspace, it’s difficult to understand who did what because attackers usually hide their identity, they use fake locations, or go through the third-party servers. Sometimes non-state actors are involved, which makes it even more difficult to find out about the attackers.

According to Tallinn Manual rule, if any non-state actor launches a cyberattack, it can be considered as an official act of war if that action is clearly linked to the government. In other words, if the country is supporting or controlling any hacker group, then the attack might be treated as a use of force by the state itself.

There is also an ongoing debate about reforming the old Caroline Test, which usually sets rules for anticipatory self-defence, means protecting yourself before an attack happens. The Caroline Test defines as a country can only use force if the threat is urgent, and leaves no time to think or use about other options. This idea is an important in cyber warfare because the countries may think to act fast to stop incoming cyberattack, but only when are sure who is behind it.

Attribution is not only paramount for self-defence, but also for holding the people or governments legally responsible for cyberattacks. If any proper evidence exists, the case can also go to international courts like the International Criminal Court or the International Court of Justice. 

Distinction

In the ethics of war and International Law, the principle of distinction works as a key idea. It aims that fighters must always separate the civilians from military targets during an attack. This is especially difficult in cyber warfare because cyberattacks usually affect public services, like hospitals, schools, or government websites, on which many peoples are depended.

Some cyberattacks also spread false information or cause psychological injury, which may impact both civilians and military forces, which blurs the line between who are being targeted. Today many systems have used dual purposes, they serve both military and general public needs. Because of this, it becomes quite difficult to apply the rule of distinction. However, under international law, dual-use of objects can be treated as military targets if they serve for a military purpose.

So, deciding whether particular thing is a legal target during a cyber conflict is an important issue. This makes the principle of distinction very important when making laws to govern cyber warfare.

Attribution Responsibility to a State:

If a cyberattack is tracked down to a country, the country which is attacked must figure out how much responsible that country is before taking any particular action in response. For example, if the state which has been attacked can find out where the cyberattacks are physically started, it must then ask: Did the country from where the attack came from have idea about it? Did they allow it to be happen? Did they have tried to stop it? Or even did they support or direct it? The victim state should consider many things like these, whether the country had detected the attack, allowed or encouraged it, had the power to stop it, or were possibly behind it. Sometimes, a country may also allow some cyber activities like collecting information, but they had drawn the line at harmful attacks that damage the systems.

There is also something important called “imputed attribution.” It means the country can be blamed for any cyberattack even if they didn’t directly do it, but have failed to stop people in its territory from doing that attack. If a country allows its land to be used as a safe space for non-state actor and doesn’t try to prevent attacks coming from there, then it may still be held responsible. However, international law deems that usually, a country is not blamed for individual’s actions except the government has officially given them the power to act on their behalf. That’s why figuring out who is behind the cyberattack, that is the process of attribution is important, especially when the non-state actors like hackers are being involved. It helps to know and decide whether these groups are acting on their own or with the help of their government.

The ‘Non-State Actor’ Concept:

In international law, a non-state actor is a person or a group that is not officially representing any country but still plays a crucial role in global matters. These can include like terrorist groups, resistance movements, private cyber experts or even civilian hackers. They usually did not follow the rules that are applied to governments and state actions, which makes dealing with them even more difficult.

Today, especially with cyber warfare, non-state actors are becoming more familiar. Many cyberattacks are being carried out by these groups instead of by the governments. It creates problems for international law because the rules were specially made for situations where countries fight with each other, not for when any individuals or groups launch an attack on their own.

This also makes it difficult to decide when a cyberattack is serious enough to allow the country to defend themselves under international law. For the state to legally respond with self-defence, the attack generally has to be considered an “act of force” which is carried out by another state. This is where Articles 2(4) and 51 of the UN Charter is used. Article 2(4) says that countries should not use force or threats in any international relations. And for these Article 51 allows countries to defend themselves if such kind of force is used against them.

Case Study:

  1. Russia-Ukraine War (2022)

The most recent example of cyber warfare during an armed conflict is the Russia-Ukraine war, earlier in Russo-Georgian war of 2008, the same legal and ethical issues were seen as in the Russia-Ukraine War. In this conflict, Russian government have backed hackers and criminal groups that had targeted Ukrainian civilian services like government offices, power stations and TV stations. In one of the major incidents in February 2023, a group called ATK256 have attacked several Ukrainian public bodies. They’re the major challenge was attribution, for figuring out if the Russian government is directly responsible, especially as many attacks are being carried out by non-state actors like pro-Russian hacker’s groups, which makes legal action and self-defence in response under international law more difficult. The principle of distinction, which says public and public services should not be targeted had also been ignored. The attacks have affected not just Ukraine’s military forces but also civilian infrastructure and even spread and increased up to other European countries. This raises concerns about the involved countries which are not officially part of the war. Overall, the Russia-Ukraine war shows it is separate from traditional welfare as the cyber warfare is becoming more common and prominent nowadays. It means to better handle these new types of conflict international law must either create specific rules for cyber warfare or update the existing ones.

  1. The U.S. Presidential Election interference (2016)

As Russia was active in cyber operations to interfere in the 2016 U.S. Presidential election. A report by the special counsel confirmed that Russia sought to interfere in the election. As the report showed, Russian operations used social media to disseminate lies and produce chaos among the electorate: this was intended to plant “information malware.” While U.S. intelligence agencies have said a look into Russia’s actions did confirm they were behind them, proving it in court or legally holding someone responsible has been a challenge.

  1. The Sony Pictures Hack (2014)

The 2014 hacking of Sony Pictures provides another example of the challenge in proving who is behind a cyberattack. The hack was tied to North Korean hackers through the movie. The Interview, which involve North Korea leader. The U.S. retaliated by putting in place sanctions against North Korea. But the decision was made largely on hints and intelligence reports, not hard evidence. This case has disturbing implications for what kind of evidence is required to legally blame a country for a cyber-attack.

  1. Take It Down Act

The ‘Take It Down Act’ was the new bill that makes it a very serious crime to knowingly share or threaten someone to share private, intimate images of someone online without their permission. This also involve fake but realistic images which are made using Artificial Intelligence, where someone’s face is added to any such photos. The bill was introduced by U.S. Senators and was passed unanimously in the Senate earlier in this year. If the bill becomes law, people who share private images of minors without consent could face imprisonment up to three years, while those sharing such images of adults could get up to two years imprisonment as punishment. Also, for threatening to share such images can lead to up to two and a half years in jail for minors and one and a half years if it involves adults. The bill also clearly states that just because someone agreed to take an image doesn’t mean they are agreed for it to be shared publicly.

  1. China’s hack into US Telecom system (2014)

China has been blamed for a new, massive cyberattack that allegedly penetrated deep into the U.S. telecommunication system. The hackers “were able to listen to phone conversations, as well as `read text messages, even those involving high-level officials, such as then-President Donald Trump and Vice President JD Vance. The group behind the attack was linked to believes that a group connected to Chinese intelligence carried out the attack. The hack was discovered by Microsoft’s cybersecurity team, which named it “Salt Typhoon.”

Suggestions:

  1. Improving International Cooperation and Sharing Information:

Countries need to work together more closely and share more important information, for better control of cyber warfare. This includes sharing information about the cyber threats, how to handle such attacks, and what has been worked well when such kind of attacks occur in the past. When countries cooperate with each other like this, they can detect cyber threats easily, stop the attacks before they actually happen, and respond accordingly. This teamwork can help to build stronger protection for everyone against the cyber warfare.

  1. Creating Clear Definitions and Rules for the Cyber Warfare:

Today, there is confusion about what really is the cyber warfare. There must be clear and agreed-upon rules about which type of cyberattacks are serious enough to be considered as an act of war. Having clear and proper definitions will help citizens of the countries to understand when they are allowed to reply, and what kind of response is fair and legal. This will help to make international laws on cyber warfare easier to understand and apply.

  1. Setting Up the International Cyber Dispute Centres:

There can be special international groups or courts that will deal with problems caused by the cyberattacks. These bodies will help to solve disputes between the countries peacefully, and can make sure the attackers are punished accordingly, and help victims to get proper compensation. These centres will work similar as other international courts but focus only on cyber issues.

  1. The Role of Organizations like the UN and NATO:

Global organizations like the United Nations and North Atlantic Treaty Organization can help to manage the cyber warfare. The UN can help to create new international laws and rules for the cyberspace. NATO can help the member of its countries to defend each other against cyberattacks. Both organizations can  support the cooperation and training between different countries to improve and better cybersecurity across the world.

Conclusion:

Attribution in cyberspace that is figuring out who is behind a cyberattack is quite difficult. This is because of how the internet works, the lack of proper international laws for the cyberattacks, and the challenges of proving whether the country is actually responsible for it. Cyber attackers easily hide their location and identity, which makes it difficult to know who actually did it. For a country that has been attacked that is the victim state, identifying who is responsible for it is crucial before taking any legal or defensive actions by the country.

Though many experts focus only on the technical side of finding cyberattacks, attribution involves more than just technology to find out. It requires an in-depth investigation into many factors, such as who may have been benefited from such attack, what tools have been used, and whether the state had allowed or supported the attack. Today, hackers are more skilled and expert than ever, and they usually take advantage of the confusion around attribution. If the country cannot clearly show who attacked it, then any kind of response it takes may lack the legal justification. 

Under the international law, a country must prove that a cyberattack should meets a certain level of seriousness, like the “use of force” or “armed attack”, before taking any action in self-defence. But the law does not properly define these terms for cyberattacks. This makes it even harder for the states which has been attacked to hold attackers accountable or respond accordingly. That’s the reason there is a need for proper legal definitions and international agreement on how to handle the cyberattacks. For these all countries must work together to create common rules and standards. This would help to reduce confusion and can make it easier to prove who is responsible. More research and international cooperation are important to build a fair and effective system that will deal with the cyber warfare.

Submitted By- Kalyani Chaple

School of Law, University of Mumbai, Thane Sub-campus.

Name- Kalyani Chaple
University of Mumbai, Thane Sub-campus